So, spending hours trying to debug their software we figured out their Antivirus was blocking JavaScript CORS requests.
The guys at Sophos know they’re breaking standard web-functionality and have a fix ready but will not release it to its free customers.

Oh, and you know what else they said? They said I should just tell our customers to disable Sophos Antivirus to fix the issue. Being the compliant guy I always am that’s exactly what I’ll do: Stop using Sophos Antivirus, now.